Hi all,
A month or so ago the WebID spec came up in discussions on this list. An older criticism by Brad Hill was mentioned and Edward O'Connor also joined in with some of his own points. Those issues were to be fair, ones arising out of what was a very incomplete and still badly written specification - I do have to admit. In the past month and a half since the discussion on this list, we have done some very serious work on the specification reworking a lot of the text, adding some much more detailed diagrams, and clearing up the misunderstandings we felt those had led to.
I invite you to please look again at the spec which is now up here
http://www.w3.org/2005/Incubator/webid/spec/
alias http://webid.info/spec
Perhaps just to take one point from Brad Hill's message [1]
> 1. The existing install base of TLS terminators cannot support the protocol
We have now in our diagram ( http://webid.info/spec#authentication-sequence ) distinguished between the TLS-Light Service and the Application level Guard. The TLS service is now clearly explained to be a normal TLS endpoint minus essentially Trust management. So I think the install base of TLS should be able to deal with this.
> 2. TLS terminators must communicate WebID context to apps
They only need to pass the certificate to what we name the Guard, which will pass the WebID claims to the WebID verifier.
> 3. Performance and scalability is terrible relative to server-auth-only TLS
Server-auth should require verification of client certificates. So there is not much loss and much to gain because of the growth
in distribution which CAs don't allow. Any other protocol needs something similar. We also allow these to be done in an asynchronous
way.
Anyway, I think these points now come out much more clearly in the specification.
Please let us know if there are other issues that you see. We welcome feedback.
Sincerely,
Henry Story, WebID Incubator Chair
[1] http://lists.w3.org/Archives/Public/public-xg-webid/2011May/0127.html
Social Web Architect
http://bblfish.net/